ZyXEL Communications 3.1 Security Camera User Manual
Chapter 17 IPSec VPN
ZyWALL (ZLD) CLI Reference Guide
144
Table 71 isakmp Commands: IKE SAs (continued)
COMMAND
    DESCRIPTION

group1
group2
group5
    Sets the Diffie-Hellman (DHx) group to the specified group.

[no] natt
    Enables NAT traversal. The no command disables NAT traversal.

local-ip {ip {ip | domain_name} | interface interface_name}
    Sets the local gateway address to the specified IP address, domain name, or interface.

peer-ip {ip | domain_name} [ip | domain_name]
    Sets the remote gateway address(es) to the specified IP address(es) or domain name(s).

keystring pre_shared_key
    Sets the pre-shared key used for authentication. The pre_shared_key can be:
    8 to 32 alphanumeric characters or ,;|`~!@#$%^&*()_+\{}':./<>=-"
    16 to 64 hexadecimal (0-9, A-F) characters, preceded by "0x".
    The pre-shared key is case-sensitive.

local-id type {ip ip | fqdn domain_name | mail e_mail | dn distinguished_name}
    Sets the local ID type and content to the specified IP address, domain name, e-mail address, or distinguished name.

peer-id type {any | ip ip | fqdn domain_name | mail e_mail | dn distinguished_name}
    Sets the peer ID type and content to any value, or to the specified IP address, domain name, e-mail address, or distinguished name.

[no] xauth type {server xauth_method | client name username password password}
    Enables extended authentication and specifies whether the ZyWALL is the server or the client. If the ZyWALL is the server, it also specifies the extended authentication method (an aaa authentication profile_name); if the ZyWALL is the client, it also specifies the username and password to present to the remote IPSec router. The no command disables extended authentication.
    username: alphanumeric characters, underscores (_), and dashes (-); up to 31 characters long.
    password: most printable ASCII characters, but not square brackets [ ], double quotation marks ("), question marks (?), tabs, or spaces; up to 31 characters long.

isakmp policy rename policy_name policy_name
    Renames the specified IKE SA (first policy_name) to the specified name (second policy_name).

17.2.2 IPSec SA Commands (except Manual Keys)
This table lists the commands for IPSec SAs, excluding manual keys (VPN connections using VPN gateways).

Table 72 crypto Commands: IPSec SAs
COMMAND
    DESCRIPTION

[no] crypto ignore-df-bit
    Fragments packets larger than the MTU (Maximum Transmission Unit) that have the "don't fragment" (DF) bit set in the header. The no command has the ZyWALL drop packets larger than the MTU that have the "don't fragment" bit set.

show crypto map [map_name]
    Shows the specified IPSec SA or all IPSec SAs.

crypto map dial map_name
    Dials the specified IPSec SA manually. This command does not work for IPSec SAs using manual keys or for IPSec SAs where the remote gateway address is 0.0.0.0.

[no] crypto map map_name
    Creates the specified IPSec SA if necessary and enters sub-command mode. The no command deletes the specified IPSec SA.
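The following is an added example of how the IKE SA sub-commands from Table 71 and the crypto commands from Table 72 fit together in one configuration session; it is not taken from the ZyWALL CLI Reference Guide. It assumes, because this page does not document them, that "configure terminal" enters configuration mode, that "isakmp policy <name>" creates an IKE SA and enters its sub-command mode, that "exit" leaves a sub-command mode, that "wan1" is an interface name and that "default" is an aaa authentication profile name. The gateway addresses, host names, policy names and the pre-shared key are constructed sample values, and lines beginning with "#" are annotations rather than CLI input.

```text
# Added example (not from the CLI Reference Guide). "#" lines are
# annotations, not CLI input; prompts are omitted.
# ASSUMED, not documented on this page: "configure terminal",
# "isakmp policy <name>" (creates an IKE SA and enters sub-command mode),
# "exit", interface name "wan1", aaa authentication profile "default".
# All addresses, names and the key below are constructed sample values.
configure terminal

# --- IKE SA: Table 71 sub-commands ---
isakmp policy branch-ike
  group2                                   # Diffie-Hellman group 2
  natt                                     # allow the remote peer to sit behind NAT
  local-ip interface wan1                  # local gateway address taken from wan1
  peer-ip 203.0.113.10                     # remote gateway (constructed address)
  keystring 0x1F8E4C2A9B7D6E5F0A3C1B2D4E6F8A90   # 32 hex digits, "0x" prefix
  local-id type fqdn hq.example.com        # identity this ZyWALL presents
  peer-id type fqdn branch.example.com     # only this identity matches the policy
  xauth type server default                # ZyWALL is the XAUTH server, profile "default"
  exit

# Rename the IKE SA: first name is the old one, second is the new one.
isakmp policy rename branch-ike branch-office-ike

# --- IPSec SA: Table 72 commands ---
crypto map branch-office                   # create the IPSec SA, enter sub-command mode
  exit                                     # its sub-commands are on later pages of the guide

crypto ignore-df-bit                       # fragment oversized DF packets instead of dropping them

show crypto map branch-office              # inspect the IPSec SA just created
crypto map dial branch-office              # bring the tunnel up manually
```

Two points worth noting when reading the session against the tables: the hexadecimal "0x" form of keystring sidesteps the quoting problems that the special-character form can cause in scripts and copied configurations, and a specific peer-id (fqdn, ip, mail or dn) binds the policy to one remote identity, whereas "peer-id type any" accepts whichever identity the remote gateway presents. Each "[no]" command in the tables is reversed the same way: "no natt" turns NAT traversal back off, and "no crypto map branch-office" deletes the IPSec SA.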